Apr 07 2014

Introduction

Android is an open source operating system based on the Linux kernel, initially developed by Android Inc., which Google bought in 2005. Initially, Android was developed to support touch screen devices like smartphones. These devices support different types of screen locks, like swipe lock, PIN lock, pattern lock, gesture lock, facial lock, etc.

Swipe lock unlocks the screen when you swipe a defined area on the screen with your fingertip. PIN lock unlocks the screen when you enter the correct PIN. Pattern lock unlocks the screen when the user draws a pattern by joining circles in a grid of nine, and that pattern matches the one already saved on the device. This article covers only the pattern locking system and does not cover the biometric locking systems available on phones.

Understanding Android Pattern Locks

Figure 1: Android Pattern lock with numbering

A pattern is nothing but the path traced by the finger across the nine circles, which are numbered 1 to 9 from the top-left corner to the bottom-right corner as shown in the figure above. If we select the pattern 1478, it looks as shown in Figure 2.

Figure 2: Pattern for 1478

The pattern is stored as a 20-byte SHA-1 hash. The SHA-1 hash for 1478 is “06CF96F30A7283FF7258FCEF5CF587ED51156C37”, and it is stored in a file named gesture.key in the /data/system folder of the device’s internal memory.

The Catch

The trick to changing the pattern is to replace this file with a gesture.key file generated from a known pattern.

Prerequisite

  1. USB debugging mode should be enabled.
  2. Android adb (Android Debug Bridge) tool.
  3. AVD (Android Virtual Device) Manager tool.
  4. Device USB cable.
  5. The device whose password needs to be changed.

Methodology

Step 1

Start an AVD (Android Virtual Device) and create a pattern in it. Open a command prompt and execute the following command to check whether the AVD is connected to the debugger:

adb devices

The output of the command should look as shown in Figure 3. If you see the name of your emulator on the screen, your device is connected.

Figure 3: Output of adb devices

Step 2

Now pull the gesture.key file out of the AVD. The file is located in /data/system; execute the command below:

adb pull /data/system/gesture.key gesture.key

The gesture.key file will be pulled into your current working directory. The syntax of the command is adb pull <remote-path> <local-path>. Here my current working directory is my home folder, so the gesture.key file is pulled into my home directory on my local file system.

The output of the command is shown in Figure 4.

Figure 4: Pulling out gesture.key file

Step 3

Now connect the other device, whose password is to be changed, and close the AVD. For my example I will be using the same AVD. So the current password in my AVD is 1478, according to the pattern cell numbers. Figure 5 illustrates the pattern.

Figure 5: Current pattern of the Device

The next step shows how to change the pattern of the new device to a known pattern from the previous AVD, which was 1236. Figure 6 illustrates the new pattern.

Figure 6: The new pattern which is not stored in the AVD

Step 4

To change the password to a known pattern, we push our known-pattern file to the new device. The command for pushing a file into an Android system is shown below; the file has to be pushed into /data/system on the new device.

adb push gesture.key /data/system/gesture.key

The gesture.key file is pushed into the Android file system, replacing the previous file. Android now has a gesture file that contains a known pattern, and when we use this pattern to unlock the screen, the screen unlocks. The syntax for pushing a file into an Android system is adb push <local-path> <remote-path>.

The output of the command is shown in Figure 7.

Figure 7: Pushing the known pattern file into the android system

This replaces the pattern of the new device with a known pattern. Figure 8 illustrates unlocking with the known pattern.

Figure 8: Pattern replaced with a known pattern

Limitations

  • The device should be rooted
  • The device should have USB debugging mode enabled

Reference

You can also take the SHA-1 hash value from the gesture key and match it against a database of precomputed hashes to find out the pattern lock combination. For this you can use my Python script (https://github.com/c0d3sh3lf/Android_Forensics) to automate the decoding process.

You can download the dictionary file from http://www.android-forensics.com/tools/AndroidGestureSHA1.rar (25 MB)
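As an added example, not taken from the article or from the author's script, the following Python reproduces the gesture.key encoding described in "Understanding Android Pattern Locks" and the dictionary check from this Reference section. It assumes the legacy (pre-4.3) format, an unsalted SHA-1 over the 0-based cell indices in the order drawn, and for brevity ignores Android's rule that a pattern cannot skip over an unvisited cell, so the enumerated space is a superset of drawable patterns; the keyspace count it returns is the reason an unsalted hash of this kind gives the stored pattern no real protection.

```python
import hashlib
import math
from itertools import permutations
from typing import Optional

# Assumed legacy format: each cell is stored as one byte, row * 3 + column
# (0..8); the page numbers the same cells 1..9 from top-left to bottom-right.
# gesture.key holds the raw 20-byte SHA-1 of that byte sequence, no salt.


def pattern_to_bytes(pattern: str) -> bytes:
    """'1478' (page numbering) -> b'\\x00\\x03\\x06\\x07' (stored cell indices)."""
    cells = [int(ch) - 1 for ch in pattern]
    if len(cells) < 4 or len(set(cells)) != len(cells) or not all(0 <= c <= 8 for c in cells):
        raise ValueError("a pattern joins 4 to 9 distinct cells numbered 1-9")
    return bytes(cells)


def gesture_hash(pattern: str) -> str:
    """Upper-case hex of the SHA-1 as it would sit in gesture.key."""
    return hashlib.sha1(pattern_to_bytes(pattern)).hexdigest().upper()


def keyspace_size() -> int:
    """Upper bound on distinct gesture.key values: ordered choices of 4..9 of 9 cells."""
    return sum(math.perm(9, n) for n in range(4, 10))


def decode_gesture_key(raw: bytes) -> Optional[str]:
    """Recover the page-numbered pattern from the 20 raw bytes of gesture.key.

    Walks the whole (superset) keyspace, so the worst case is under one
    million SHA-1 computations; returns None if nothing matches.
    """
    if len(raw) != 20:
        raise ValueError("gesture.key should be exactly 20 bytes")
    for length in range(4, 10):
        for cells in permutations(range(9), length):
            if hashlib.sha1(bytes(cells)).digest() == raw:
                return "".join(str(c + 1) for c in cells)
    return None


if __name__ == "__main__":
    # Constructed input: the pattern 1478 from the article, hashed locally.
    stored = bytes.fromhex(gesture_hash("1478"))
    print("keyspace upper bound:", keyspace_size())
    print("gesture.key for 1478:", stored.hex().upper())
    print("decoded pattern:", decode_gesture_key(stored))
```

If the stored format matches the assumption above, gesture_hash("1478") reproduces the hash quoted in the article; the decoder needs only the 20 raw bytes of the pulled file, not a hex string.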

 

Sumit Shrivastava

A CISC, CHFI certified forensic investigator. Sumit Shrivastava started his career as a Security Analyst Intern at Network Intelligence (I) Pvt. Ltd., Mumbai. He is also working on ongoing projects with the company, using professional tools for investigation.

  14 Responses to “Android Forensics: How To Bypass The Android Phone Pattern Lock”

  1. Good stuff. So this is basically like the SAM file replacement theory in Windows OS.

  2. There seems to be some issues in this article.

    First the debug mode must be enabled on the phone prior to being unlocked, then you need to pull the file containing the pattern to replace it with your own. So if you can remove and add files to the phone, why couldn’t you do a physical dump instead? It seems pointless to me, but maybe I’m missing something?

    I don’t mean to undermine you by the comment, as the skills you demonstrate are impressive though.

  3. @Florian

    I appreciate your response. In this binary world, there are thousands of ways of doing a single thing. This is just one way of changing the pattern lock without unlocking the device. From the physical dump you cannot change the device lock, but surely you can extract the password. In the reference section I have also mentioned your point in a different manner. It is also mentioned in the limitations that the device should be rooted and should have USB Debugging mode enabled.

    Pulling the gesture file is just a one-time process. Once you have a known gesture file on your system you can replace it on ‘n’ number of Android devices. So you just need to push that file into other devices.

  4. It is also possible to crack the SHA-1 hash in no time and reveal the original pattern.
    Search for “android gesture.key rainbow table”.

  5. This doesn’t work on android 4.3+, it has been patched.

  6. Another note here. I’m not sure if this is Samsung specific, but when I plug my phone with debugging enabled into a new PC, I have to allow the PC to connect to the debugger.

    The screen must be unlocked to answer the dialog.

    • This is for new devices which have Android 4.1+ and I guess it’s not Samsung specific. It is also there in other devices.



  9. It doesn’t work for me; it says an error:
    adb failed: permission denied.
    Can you help me?? Please contact my mail.

  10. Good stuff. Since this doesn’t work anymore, I guess the best work around is to deploy a reverse shell in the phone and then overwrite the file? (It has to be somewhere, right)?

